Legal claims defining the scope of protection, as filed with the USPTO.
1. A network security device comprising: one or more processors; and a non-transitory storage device having embodied therein instructions representing: a traffic file receive module, which when executed by the one or more processors receives a traffic file containing therein network traffic of a private network that has been captured and stored; a network traffic protocol determination module, which when executed by the one or more processors avoids affecting network traffic performance within the private network by performing post processing of the received traffic file, including: determining whether the network traffic relates to a network protocol that is potentially indicative of existence of a network security threat within the private network; and when said determining is affirmative, detecting the existence of the network security threat by evaluating the received traffic file against traffic patterns associated with existence of one or more of a plurality of known network security threats within the private network, wherein the traffic patterns discover communication between a botnet or an Advanced Persistent Threat (APT) and a command and control server and wherein the traffic patterns include: a first detection rule that (i) performs decryption of encrypted data contained within a Hypertext Transfer Protocol (HTTP) POST request to produce plaintext data and (ii) compares the plaintext data to a first detection pattern; and a second detection rule that (i) performs decryption of an encrypted payload of a dofoil network traffic protocol stream to produce a plaintext result and (ii) compares the plaintext result to a second detection pattern; and a malware reporting module, which when executed by the one or more processors reports details regarding the network security threat of the plurality of known network security threats when the network traffic protocol determination module determines existence of the network security threat within the private network.
2. The network security device of claim 1, wherein the network security threat comprises a client system within the private network that has been infected with a malicious bot associated with a known botnet or an Advanced Persistent Threat (APT), and wherein the details regarding the network security threat include one or a combination of a name of the known botnet, a name of the APT name, information regarding a protocol used to communicate between the client system and a command and control server associated with the known botnet or the APT.
3. The network security device of claim 2, wherein the malware reporting module further reports the network security threat to an Intrusion Protection System (IPS) protecting the private network.
4. The network security device of claim 2, wherein the malware reporting module further directs an Intrusion Protection System (IPS) protecting the private network to block traffic to and from the client system or submit a uniform resource locator (URL) associated with the command and control server to a web-filter to intercept access to the URL.
5. The network security device of claim 1, wherein the network security threat comprises any or a combination of a grayware, spyware or malware based threat, a bitcoin miner based threat or a Remote Access Tool (RAT) based threat.
6. The network security device of claim 1, wherein the first detection pattern and the second detection pattern are selected from a set comprising regular expression based patterns, string match based patterns, and script language implemented patterns.
7. The network security device of claim 1, wherein the network traffic comprises any or a combination of Hypertext Transfer Protocol (HTTP) traffic, Internet Relay Chat (IRC) traffic, and unclassified application traffic.
8. A method comprising: receiving, at a network security device protecting a private network, a traffic file containing therein network traffic associated with the private network that has been captured and stored; avoiding affecting network traffic performance within the private network by performing post processing, by the network security device, of the received traffic file, including: determining whether the network traffic relates to a network protocol that is potentially indicative of existence of a network security threat within the private network; and when said determining is affirmative, detecting the existence of the network security threat by evaluating the received traffic file against traffic patterns associated with existence of one or more of a plurality of known network security threats within the private network, wherein the traffic patterns discover communication between a botnet or an Advanced Persistent Threat (APT) and a command and control server and wherein the traffic patterns include: a first detection rule that (i) performs decryption of encrypted data contained within a Hypertext Transfer Protocol (HTTP) POST request to produce plaintext data and (ii) compares the plaintext data to a first detection pattern; and a second detection rule that (i) performs decryption of an encrypted payload of a dofoil network traffic protocol stream to produce a plaintext result and (ii) compares the plaintext result to a second detection pattern; and reporting, by the network security device, details regarding the network security threat when existence of the network security threat is detected.
9. The method of claim 8, wherein the network security threat comprises a client system within the private network that has been infected with a malicious bot associated with a known botnet or an Advanced Persistent Threat (APT), and wherein the details regarding the network security threat include one or a combination of a name of the known botnet, a name of the APT name, information regarding a protocol used to communicate between the client system and a command and control server associated with the known botnet or the APT.
10. The method of claim 8, wherein said reporting comprises informing, by the network security device, an Intrusion Protection System (IPS) protecting the private network regarding the network security threat.
11. The method of claim 9, further comprising directing, by the network security device, the IPS to block traffic to and from the client system or submit a uniform resource locator (URL) associated with the command and control server to a web-filter to intercept access to the URL.
12. The method of claim 8, wherein the network security threat comprises any or a combination of a grayware, spyware or malware based threat, a bitcoin miner based threat or a Remote Access Tool (RAT) based threat.
13. The method of claim 8, wherein the first detection pattern and the second detection pattern are selected from a set comprising regular expression based patterns, string match based patterns, and script language implemented patterns.
14. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network security device protecting a private network, causes the one or more processors to perform a method comprising: receiving a traffic file containing therein network traffic associated with the private network that has been captured and stored; avoiding affecting network traffic performance within the private network by performing post processing of the received traffic file, including: determining whether the network traffic relates to a network protocol that is potentially indicative of existence of a network security threat within the private network; and when said determining is affirmative, detecting the existence of the network security threat by evaluating the received traffic file against traffic patterns associated with existence of one or more of a plurality of known network security threats within the private network, wherein the traffic patterns discover communication between a botnet or an Advanced Persistent Threat (APT) and a command and control server and wherein the traffic patterns include: a first detection rule that (i) performs decryption of encrypted data contained within a Hypertext Transfer Protocol (HTTP) POST request to produce plaintext data and (ii) compares the plaintext data to a first detection pattern; and a second detection rule that (i) performs decryption of an encrypted payload of a dofoil network traffic protocol stream to produce a plaintext result and (ii) compares the plaintext result to a second detection pattern; and reporting details regarding the network security threat when existence of the network security threat is detected.
15. The non-transitory computer-readable storage medium of claim 14, wherein the network security threat comprises a client system within the private network that has been infected with a malicious bot associated with a known botnet or an Advanced Persistent Threat (APT), and wherein the details regarding the network security threat include one or a combination of a name of the known botnet, a name of the APT name, information regarding a protocol used to communicate between the client system and a command and control server associated with the known botnet or the APT.
16. The non-transitory computer-readable storage medium of claim 14, wherein said reporting comprises informing an Intrusion Protection System (IPS) protecting the private network regarding the network security threat.
17. The non-transitory computer-readable storage medium of claim 16, further comprising directing the IPS to block traffic to and from the client system or submit a uniform resource locator (URL) associated with the command and control server to a web-filter to intercept access to the URL.
18. The non-transitory computer-readable storage medium of claim 14, wherein the network security threat comprises any or a combination of a grayware, spyware or malware based threat, a bitcoin miner based threat or a Remote Access Tool (RAT) based threat.
19. The non-transitory computer-readable storage medium of claim 14, wherein the first detection pattern and the second detection pattern are selected from a set comprising regular expression based patterns, string match based patterns, and script language implemented patterns.
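The offline post-processing pipeline that claims 1, 8 and 14 describe (protocol gate, then decrypt-and-match detection rules, then a report naming the infected client and its command and control server), as an added illustration that is not code from the patent. The record format, the rule and threat names, and the fixed-key XOR standing in for the real decryption step are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Stand-in for the claims' decryption step (i): a fixed-key XOR. The actual
# C2 encoding the patent's rules decrypt is not given here, so this is assumed.
KEY = b"example-key"

def xor_decrypt(data: bytes, key: bytes = KEY) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

@dataclass
class DetectionRule:
    threat: str                        # botnet / APT name reported on a hit
    protocol: str                      # rule only applies to this protocol
    decrypt: Callable[[bytes], bytes]  # step (i): ciphertext -> plaintext
    pattern: re.Pattern                # step (ii): compared against plaintext

# Constructed "traffic file": one record per captured request / stream, already
# demuxed by a parser (format assumed). Bodies are XOR-encoded so the rule's
# decryption step has something to undo.
TRAFFIC_FILE = [
    {"protocol": "HTTP", "method": "POST", "src": "10.0.0.5", "dst": "203.0.113.9",
     "body": xor_decrypt(b"cmd=beacon&id=bot-17")},
    {"protocol": "dofoil", "src": "10.0.0.7", "dst": "198.51.100.2",
     "body": xor_decrypt(b"TASK|download|payload.bin")},
    {"protocol": "DNS", "src": "10.0.0.8", "dst": "10.0.0.1", "body": b"A? example.com"},
]

RULES = [  # first rule: HTTP POST; second rule: dofoil stream (names constructed)
    DetectionRule("constructed-http-bot", "HTTP", xor_decrypt, re.compile(rb"cmd=beacon&id=bot-\d+")),
    DetectionRule("constructed-dofoil", "dofoil", xor_decrypt, re.compile(rb"^TASK\|")),
]
SUSPECT_PROTOCOLS = {r.protocol for r in RULES}  # the "potentially indicative" gate

def post_process(records: List[Dict], rules=RULES) -> List[Dict]:
    """Evaluate a stored capture offline; returns one report per rule hit."""
    reports = []
    for rec in records:
        if rec["protocol"] not in SUSPECT_PROTOCOLS:  # determining step is negative
            continue
        for rule in rules:
            if rule.protocol != rec["protocol"]:
                continue
            if rec["protocol"] == "HTTP" and rec.get("method") != "POST":
                continue                                # first rule covers POST only
            if rule.pattern.search(rule.decrypt(rec["body"])):
                reports.append({"threat": rule.threat, "client": rec["src"],
                                "c2": rec["dst"], "protocol": rec["protocol"],
                                "action": "block client; submit C2 URL to web-filter"})
    return reports

if __name__ == "__main__":
    for report in post_process(TRAFFIC_FILE):
        print(report)
```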
September 25, 2018